31 Dec 2021

Update of unpackers

Enigma Virtual Box unpacker

There are plenty of changes.

  • Properly detect versions 9.50..9.90
  • Unpacks files packed with 9.80 and 9.90
  • Added command-line parameter "/nodiskspace", as requested by some users. If it crashes during unpacking because it ran out of disk space, it's your problem.
  • Unpacker properly handles invalid input filename

Molebox 2.x unpacker

  • Support more versions of very old Molebox
  • Unpacking files with digital signatures should be improved
  • Some rare bugs have been fixed

Autoplay Media Studio unpacker

  • Added support for AMS version 8.5.3.0.
  • Support for Imagine MemoryEx encrypted files, as requested by someone.

What is MemoryEx?

MemoryEx is a plugin released by Imagine Programming, allowing for more advanced operations from within the Lua environment you will find in Autoplay Media Studio 8.

While it's not a very common plugin, there are several niche programs which use this plugin. For example, most programs from dindroid.com use it.

When you unpack such a file, please pay attention to the "Found protected file" messages:

As you can see, the unpacker created some .luac files.

Next, you will need to find a Lua decompiler and decompile these files. I suggest you try unluac, luadec or whichever Lua decompiler you prefer.
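Before handing the extracted .luac files to a decompiler, it helps to confirm that they really are standard compiled Lua chunks. The following is an added example, not part of the unpacker or the original post; it assumes the files use the stock Lua 5.1 chunk layout, and `parse_luac_header` and the sample bytes are constructed for illustration.

```python
import struct

LUA_SIGNATURE = b"\x1bLua"
SIZE_T_FMT = {4: "I", 8: "Q"}   # unsigned size_t
INT_FMT = {4: "i", 8: "q"}      # signed int

def parse_luac_header(data: bytes) -> dict:
    """Identify a compiled Lua chunk; decode header fields for Lua 5.1 only."""
    if len(data) < 5 or data[:4] != LUA_SIGNATURE:
        raise ValueError("missing \\x1bLua signature, not a compiled chunk")
    info = {"version": f"{data[4] >> 4}.{data[4] & 0x0F}"}
    if data[4] != 0x51:
        return info                      # other versions lay the header out differently
    if len(data) < 12:
        raise ValueError("truncated Lua 5.1 header")
    fmt, little, sz_int, sz_size_t, sz_instr, sz_num, integral = data[5:12]
    if sz_int not in INT_FMT or sz_size_t not in SIZE_T_FMT:
        raise ValueError("unsupported int/size_t width")
    order = "<" if little else ">"
    info.update(official_format=(fmt == 0), little_endian=bool(little),
                sizeof_size_t=sz_size_t, sizeof_instruction=sz_instr,
                sizeof_number=sz_num, integral_numbers=bool(integral))
    # Top-level function prototype: source name, line range, four 1-byte fields.
    off = 12
    if off + sz_size_t > len(data):
        raise ValueError("truncated before source name")
    (name_len,) = struct.unpack_from(order + SIZE_T_FMT[sz_size_t], data, off)
    off += sz_size_t
    if off + name_len + 2 * sz_int + 4 > len(data):
        raise ValueError("truncated function header")
    info["source"] = data[off:off + name_len].rstrip(b"\0").decode("latin-1")
    info["stripped"] = name_len == 0     # no source name: debug info was removed
    off += name_len + 2 * sz_int         # skip linedefined / lastlinedefined
    info["nups"], info["numparams"], info["is_vararg"], info["maxstack"] = data[off:off + 4]
    return info

# Constructed sample: header plus start of a main chunk, as a 32-bit luac 5.1 emits it.
SAMPLE = (LUA_SIGNATURE + bytes([0x51, 0, 1, 4, 4, 4, 8, 0])
          + struct.pack("<I", 10) + b"@main.lua\0"
          + struct.pack("<ii", 0, 0) + bytes([0, 0, 2, 2]))

if __name__ == "__main__":
    print(parse_luac_header(SAMPLE))
```

A non-official format byte or unusual type sizes suggest a modified Lua build, which stock decompilers may reject.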

The decompiler should produce a .lua file which contains all the interesting stuff. For example, part of G-Nerator code looks like this:

That's all folks, have fun using it!

As always - if you notice any bugs, please report them. And most importantly - Happy New Year everybody!

42 thoughts on “Update of unpackers”

  1. Hello, I want to unpack an .exe file but none of these unpackers worked, what's the solution for my problem?
    The file in question is this:
    {hidden link}

    • Hi,
      your file is packed first with Molebox 2.x and then Enigma Protector. There is no automatic unpacker for Enigma Protector.

      If you manually unpack Enigma Protector, then my unpacker will be able to unpack Molebox and extract all the files.

      Easier solution would be to use Virtual File System Editor by Extreme Coders. It will unpack all embedded files but not the main executable.

      • Hello kao , just want to ask about Virtual file System Editor - By Extreme coders. Is it the same method in your unpacker?

        • No, they are totally different.

          Virtual File System Editor needs you to run the file and then extracts data files from process memory. Benefits - it can handle unknown protections or combinations of packers. Drawbacks - it can't unpack main file and it's not safe to use on malicious files.

          All my unpackers are static - they never run the file. So, they are safer to use but can only extract files from known protections. They can also extract main file and bundled registry keys.

  2. Great, after upgrading the latest version of enigma 0.59, the exe that could not be unpacked before can finally be unpacked, I hope it gets better and better!

  3. Hey Kao! Nice to see you still updating Enigma VB Unpacker, I got a file which DIE said it's Enigma VB, but can't unpack it with your tools.. do you think it's a different protector? If you could tell me a way to get it I would be so glad, thanks.

    Here is the file: {hidden link}

      • As it happens quite often, DIE is wrong. :) Your file is protected with Themida.

        EDIT: possibly Themida in combination with Enigma Protector. In either case, it's not Enigma VirtualBox.

          • As far as I know, there are no automatic tools or scripts for x64 Themida and Enigma. You would have to make your own.

            I don't have such tools either, so there is not much I can help you with.

  4. Plus, the file is .NET (csharp), so.. we don't need to use any script at all, do we? Just trying to dump it.

  5. Nice work on these tools. I think this is the first LH tool I've seen.
    Just a remark; you forgot to unpack the assemblies in the LH file.

    • Hi,
      it's rare to see a protection author visit my blog. Welcome! :)

      I did not unpack embedded assemblies because I was unaware of such feature. I'll happily update the unpacker - just need to find some example file first..

      • Hi :) MemoryEx can load LH modules compiled with IMXLH, they are designed for modularity and less about protection. The "protection" is more obfuscation and a bonus, but the intended purpose was deploying modules of code that include a lot of MemoryEx features (FFI, OS interfacing, structure definitions etc).

        I also do occasional malware/sample analysis and for that purpose I also wrote an unpacker that unpacks AMS8 binaries back to .autoplay project files, therefore I am interested in such tooling. I'm currently also in the process of writing a vastly featured lua disassembler (luadis) that can output information about compiled Lua chunks with some static analysis.

        I'm obviously not going to give away the exact format of LH files, however an LH module consists of a Lua chunk (which you have found), none or many assembled pieces of machine code (x86, relocatable) and a verification section that prevents the default MemoryEx build from loading a file in certain situations. You can generate samples yourself if you install the free version of IMXLH, here's some source code of LH modules with machine code routines: {hidden link}

        It would be cool if you'd pitch me an email if you have a version that works on the assemblies too.

  6. Seems like EVBunpacker is unable to extract new images from the game credited by RPG MZ. Just like

    %\www\img\pictures\1アイリン普通3.png failed, probably corrupted executable!
    [+] File "C:\Users\Justi\Desktop\テイルver0.6\%DEFAULT FOLDER%\www\img\pictures\1アイリン照れ.png", size=0x6D8C
    [x] Extraction of file
    C:\Users\Justi\Desktop\テイルver0.6\%DEFAULT FOLDER%\www\img\pictures\1アイリン照れ.png` failed, probably corrupted executable!

    This pack is related to RPG MZ, and the image formats in it could include encrypted formats like ".rpgmvp", ".png_" or just simple ".png".
    I'm frustrated and I don't know why .png can't be extracted. Maybe the actual format of those images is ".png_" and the "_" is undetectable in common extractors. None of the images in this game pack could be extracted.

    Here is the link of the game
    {hidden link}

    • Hi CHANS,
      it's working fine for me, no errors:
      [+] File "F:\%DEFAULT FOLDER%\www\img\pictures\1アイリン普通.png", size=0x6C57
      [+] File "F:\%DEFAULT FOLDER%\www\img\pictures\1アイリン普通2.png", size=0x6C5C
      [+] File "F:\%DEFAULT FOLDER%\www\img\pictures\1アイリン普通3.png", size=0x6DBC
      [+] File "F:\%DEFAULT FOLDER%\www\img\pictures\1アイリン照れ.png", size=0x6D8C
      [+] File "F:\%DEFAULT FOLDER%\www\img\pictures\1アイリン照れ2.png", size=0x6D0A
      [+] File "F:\%DEFAULT FOLDER%\www\img\pictures\1アイリン照れ笑.png", size=0x6BF7

      I'd still love to fix the issue if possible.

      Could you please try this test version of unpacker and tell me what error message you get?
      I would expect something like these:

      [x] ForceDirectories F:\%DEFAULT FOLDER%\ failed!

      or

      [x] Problem on line 3, message Cannot create file "F:\%DEFAULT FOLDER%\notification_helper.exe". Access is denied

      Once we know why it's failing for you, I'll try to figure out the proper fix.

      • I found that errors only occur when extracting on the desktop, but it works fine on D: and E:

        When extracting the game on the desktop:
        [x] Problem on line 3, message Cannot create file "C:\Users\Justi\Desktop\%DEFAULT FOLDER%\www\img\characters\ハニービー.png". Access Denial.
        [x] Extraction of file C:\Users\Justi\Desktop\%DEFAULT FOLDER%\www\img\characters\ハニービー.png failed, probably corrupted executable!
        [+] File "C:\Users\Justi\Desktop\%DEFAULT FOLDER%\www\img\characters\ヒュプノ.png", size=0x51E9

  7. I was trying to break an AMS exe and I got to this point.

    For LH files that are inside the .exe (packed) what can I do? I know the name of the LH file and the function call, can I get the code of that function somehow?

    I can run live lua code in that AMS .exe THEN do you think there is a way after loading the LH file to download it as txt or a similar option to get it?

    I find your blog very interesting, because of the way you explain it. keep it up

    • If you know name of the file, you can use Virtual File System Editor by Extreme Coders to extract the file from the running process.

        • Depends which file virtualization solution was used and with what settings. If you could send me a link to your file, I'll try to find time and take a look.

  8. Thank you for creating such a wonderful Enigma unpacker. While it does work on some enigma VirtualBox protected files, it does not on some. A file has two sections .enigma1 and .enigma2 but when trying to unpack I am provided with this:

    EnigmaVBUnpacker v0.59, compiled on 29-12-2021 20:57
    Supports Enigma Virtual Box v4.10..9.90
    Latest version always on https://lifeinhex.com

    [+] Filename: DorkR_PTO\DorkR_PTO.exe
    [+] MD5: c6b2d994e408787aafa43f75ed7529bc
    [+] x64 executable
    [x] Expected section name ".enigma2", found ".rsrc"
    [x] This file is not protected with Enigma Virtual Box or is hacked.

    I have uploaded an image of enigma VBUnpacker + EXEInfo side by side: {hidden link}

    If you want to look at this file that would be great. Download is available here: {hidden link}

    Thank you!

    • This file is not protected with Enigma Virtual Box or is hacked.

      In your case, your file is protected with Enigma Protector, which is a totally different software and is not supported by my unpacker.

      • I'm sorry, I don't have much free time lately.

        From the quick look, you can place your own lua5.1.dll next to the EXE file, make it read-only and then Winlicence will not replace it.

        Hope that helps.

        • Thanks for replying, but in fact I tried it and it doesn't work, it says it could not load the lua5.1.dll file. it doesn't replace it but it doesn't load it either.

        • can you get the name by causing an error in the plugin when calling it? I can't think of any other option

  9. Enigma unpacker said that the dll I gave it is protected by Enigma protector and not enigma virtual machine...

  10. I've successfully used Enigma unpacker 0.56 with an older version of Wine before, but now it's not working. I tried Enigma unpacker 0.59 and 0.56.
    After selecting an exe and clicking "Unpack" Enigma unpacker crashes as soon as it says "[i] Loading large file, it might take some time..."
    The exe I tried to extract is 1.3 GB so I tried a smaller one that worked before but the same thing happens.
    {hidden link}

    • Hi Guy, I'm not sure you entered a real email address, so I'll answer here. If you're interested in a longer discussion, please feel free to email me.

      Based on the log you provided, this is the problematic code:

      If you would like to try, here is a test program that tries to create a temp file. I'm guessing it will fail on your system, even though in my Ubuntu it works just fine:

      I will try to improve my GUI, so that the error message is actually visible. However, I can't fix Fedora/Wine issues, they are beyond my control.

      • Gave that a try, and it worked.

        $ wine test_tempfile.exe
        002c:fixme:winediag:LdrInitializeThunk wine-staging 7.12 is a testing version containing experimental patches.
        002c:fixme:winediag:LdrInitializeThunk Please mention your exact version when filing bug reports on winehq.org.
        Creating temp file C:\users\user\Temp\EVBa432.tmp
        All OK
        Press ENTER to close

        I gave Enigma unpacker a go again with the exe I tried earlier and it worked this time. Nothing Wine related changed since I first posted, so I have no idea what happened. Very strange!
        Thanks for your response.

  11. I am trying to unpack an x64 exe that I suspect is packed with VirtualBox. When I try to unpack the exe, I get the following output:
    [+] x64 executable
    [x] Expected section name ".enigma2", found ".rsrc"
    [x] This file is not protected with Enigma Virtual Box or is hacked.

    And if I scan the exe with DiE it shows .enigma1 and .enigma2 sections which can be seen here:

    exe is here: {hidden link}
    Thank you!

    • Hi there,
      your file is protected with Enigma Protector - a different software from the same author. Enigma Protector is not supported by my unpacker and I have no plans to change that.

  12. Hello,

    What is the .NET Framework target for your AMSUnpacker v0.4.1.36034?

    Installed .NET Framework versions:
    · Microsoft .NET Framework v3.5 SP1
    · Microsoft .NET Framework v4.0.3

    It is not working on Windows XP SP3.

    .NET Runtime Error:
    Application: AMSUnpacker.exe
    Framework Version: v4.0.30319
    Description: The process was terminated due to an unhandled exception.
    Exception Info: System.Threading.SynchronizationLockException
    Stack:

    Thanks in advance.

  13. Hello, this file can't be decrypted. Please help me. There are many game characters and scenes in it. Thank you for decrypting the largest file

    download:
    {hidden link}

    • It works just fine for me, as you can see in the screenshot.

      If you can provide me with more information about your system and what exactly you did, I can try to reproduce the issue. Otherwise there's nothing I can do to help.
